Bug 454988 - formencode 1.0 breaks chained validators
formencode 1.0 breaks chained validators
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: python-formencode (Show other bugs)
9
All Linux
high Severity high
: ---
: ---
Assigned To: Toshio Ernie Kuratomi
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-07-11 06:39 EDT by Felix Schwarz
Modified: 2008-07-17 10:15 EDT (History)
2 users (show)

See Also:
Fixed In Version: 1.0.1-1.fc9
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-07-17 10:15:49 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Felix Schwarz 2008-07-11 06:39:36 EDT
Description of problem:
Formencode 1.0 breaks chained validators which do not use partial validation.
This is an known bug for upstream and was fixed in 1.0.1
(http://www.formencode.org/news.html). 

Please update python-formencode to 1.0.1 as this will break many applications
which do use chained validators. This may even be a security problem for Fedora
users because the chained validators are never called!
Comment 1 Fedora Update System 2008-07-11 12:55:36 EDT
python-formencode-1.0.1-1.fc9 has been submitted as an update for Fedora 9
Comment 2 Toshio Ernie Kuratomi 2008-07-11 13:10:22 EDT
New package built for F-9 and RawHide.  Security team will approve and then it
will be pushed to stable.  If necessary, people can retrieve the package from
the "Build link" on this page before the package goes out::

  https://admin.fedoraproject.org/updates/F9/pending/python-formencode-1.0.1-1.fc9
Comment 3 Toshio Ernie Kuratomi 2008-07-14 17:58:06 EDT
Brief description of the problem for the security response team:

The formencode package allows people to write validators[1]_.  Among other
places that these are used is within the TurboGears web framework.  Thus, this
bug will affect any TurboGeats applications shipped by Fedora or built on top of
the formencode-1.0 packages shipped with F-9/

In the TurboGears context, validators are used to check that input from a user
is in a form that the application expects.  This can consist of transformations
(from a string into an integer, for instance) and checks (making sure that input
is a valid email address, that it only contains alpha numberic ASCii characters,
or that the input specifies a valid value within a database, for instance.)

This particular bug affected a class of validators known as chained validators.
 These validators run after the other validators and are capable of checking
that multiple values meet a validity check as opposed to only a single value. 
As an example, let's say the user is providing a timestamp, key and log message
to a method add_new_log().  A chained validator might check that the combination
of key and timestamp was not already recorded to avoid overwriting and losing
existing logs.

With the bug in formencode-1.0, the chained validator that checked for this case
would silently fail to run which means that overwriting of data might be possible.

_[1]: http://formencode.org/Validator.html
Comment 4 Toshio Ernie Kuratomi 2008-07-14 18:25:08 EDT
Another scenario.  I've written a cgi script that reads certain files from my
home directory and displays them on a web page.  Because I'm not a very good
programmer my script takes a directory relative to my home directory and a
filename of information from the user and displays what's in there if the first
line of the file is "PUBLIC".  The script has two sets of validators:

The first set checks that the directory will fall within my home directory and
that the filename doesn't contain any special characters like path separators.

The second set is two chained validators that makes sure that "PUBLIC" is the
first line of the file and that the actual file is not a sym link to somewere else.

Because of this bug, not only is any file in the home directory exposed but, if
I have a sym link to a directory somewhere else in the filessytem, any file in
that directory is exposed as well.
Comment 5 Fedora Update System 2008-07-15 08:16:43 EDT
python-formencode-1.0.1-1.fc9 has been pushed to the Fedora 9 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update python-formencode'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-6312
Comment 6 Fedora Update System 2008-07-17 10:15:47 EDT
python-formencode-1.0.1-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.